The issue of privacy and the protection of personal data concerns not only users and consumers, but inevitably also companies which, regardless of their size, have to manage their own information and that of their customers every day.
The importance of managing information assets
Being able to protect this information properly is therefore essential, for several reasons:
- to avoid incurring costly penalties, both administrative and criminal;
- to avoid damaging the company's reputation;
- to guarantee security in this area to one's own clients and to be able to respond to requests from the competent supervisory authority.
At EU level, the protection of personal data and its processing are governed by Regulation (EU) 2016/679 (GDPR), by Directive (EU) 2016/680 (which covers processing by competent authorities for law-enforcement purposes), and by the national implementing legislation.
The GDPR contains numerous provisions applicable to artificial intelligence, although AI is never explicitly mentioned.
Processing personal data with AI technologies may in fact pose significant risks to the rights of data subjects; those rights must consequently be protected by applying the GDPR rules to the AI system itself.
GDPR articles that apply to AI systems
The regulatory environment for data protection is particularly complex and constantly evolving. To this must be added rapid technological development and the increasing attention that users and consumers pay to the protection of their data.
The most relevant articles of the GDPR that find application in AI systems are as follows:
- Articles 13 and 14, on the principle of transparency: a controller that intends to process data, including by means of automated decision-making, must inform the data subject of the existence of such decision-making and provide meaningful information about the logic involved, as well as the significance and the envisaged consequences of that processing for the data subject.
- Article 22, i.e. the right of the data subject not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision:
- is necessary for entering into, or the performance of, a contract between the data subject and a data controller;
- is authorized by Union law or the law of the Member State to which the data controller is subject, which also lays down suitable safeguards for the data subject's rights, freedoms and legitimate interests;
- is based on the explicit consent of the data subject.
- Article 25, under which all processing of personal data must comply with the principles of data protection by design and by default (commonly referred to as privacy by design and privacy by default): compliance with the data-processing principles must therefore be built in from the design and implementation stage of the AI system, not added afterwards.
- Articles 44 et seq. (Chapter V), which lay down the rules for transfers of personal data outside the EEA, a very common type of processing in AI systems that run on cloud infrastructure.
RSM operates with a highly competent multidisciplinary team to support its clients in complying with Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 101/2018 in the following areas:
- organizational and risk assessment
- IT and cybersecurity
- DPO role
The RSM Risk and Advisory Services team has developed a methodology that covers all phases of a privacy project by addressing governance and processes: from the definition of roles and responsibilities and the appointment of the DPO (Data Protection Officer) to the formalization of procedures, privacy risk management, and so on.
Its extensive experience in GDPR projects has also allowed RSM to build knowledge of the most innovative technological solutions available on the market and thus to offer an advanced approach to privacy management.